Merge "Extend contrail fromula"
diff --git a/.kitchen.travis.yml b/.kitchen.travis.yml
index f847543..25dca5a 100644
--- a/.kitchen.travis.yml
+++ b/.kitchen.travis.yml
@@ -3,4 +3,4 @@
- name: <%= ENV['SUITE'] %>
provisioner:
pillars-from-files:
- neutron.sls: tests/pillar/<%= ENV['SUITE'] %>.sls
+ opencontrail.sls: tests/pillar/<%= ENV['SUITE'] %>.sls
diff --git a/README.rst b/README.rst
index f76fb4c..0f958dc 100644
--- a/README.rst
+++ b/README.rst
@@ -613,7 +613,7 @@
Set up metadata secret for the Vrouter
--------------------------------------
+--------------------------------------
In order to get cloud-init within the instance to properly fetch
instance metadata, metadata_proxy_secret in the Vrouter agent config
@@ -627,6 +627,23 @@
metadata:
secret: opencontrail
+Add auth info for Barbican on compute nodes
+-------------------------------------------
+
+.. code-block:: yaml
+
+ opencontrail:
+ compute:
+ lbaas:
+ enabled: true
+ secret_manager:
+ engine: barbican
+ identity:
+ user: admin
+ password: "supersecretpassword123"
+ tenant: admin
+
+
Keystone v3
-----------
diff --git a/metadata/service/compute/lbaas/barbican.yml b/metadata/service/compute/lbaas/barbican.yml
new file mode 100644
index 0000000..a297c8b
--- /dev/null
+++ b/metadata/service/compute/lbaas/barbican.yml
@@ -0,0 +1,16 @@
+parameters:
+ _param:
+ opencontrail_barbican_user_domain: 'default'
+ opencontrail_barbican_project_domain: 'default'
+ opencontrail:
+ compute:
+ lbaas:
+ enabled: true
+ secret_manager:
+ engine: barbican
+ identity:
+ user: "${_param:opencontrail_barbican_user}"
+ password: "${_param:opencontrail_barbican_password}"
+ tenant: "${_param:opencontrail_barbican_tenant}"
+ user_domain: "${_param:opencontrail_barbican_user_domain}"
+ project_domain: "${_param:opencontrail_barbican_project_domain}"
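Review bot: The `identity` block references `opencontrail_barbican_user`, `opencontrail_barbican_password` and `opencontrail_barbican_tenant`, but `_param` only gives defaults for the two domain values, and nothing in the file says the other three must be supplied. A model that includes this class without defining them will presumably fail interpolation or render an unusable value. A header comment would make the contract explicit, for example `# Requires _param: opencontrail_barbican_user, opencontrail_barbican_password, opencontrail_barbican_tenant (no defaults)`. It is also worth saying there that the password should come from the deployment's secret handling and not from a value committed to the model.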
diff --git a/opencontrail/compute.sls b/opencontrail/compute.sls
index c410cd1..7abcf73 100644
--- a/opencontrail/compute.sls
+++ b/opencontrail/compute.sls
@@ -26,6 +26,21 @@
{%- endif %}
+{%- if compute.get('lbaas', {}).get('enabled', False) %}
+
+{%- if compute.lbaas.get('secret_manager', {}).get('engine', 'noop') == 'barbican' %}
+
+/etc/contrail/contrail-lbaas-auth.conf:
+ file.managed:
+ - source: salt://opencontrail/files/{{ compute.version }}/contrail-lbaas-auth.conf
+ - template: jinja
+ - require:
+ - pkg: opencontrail_compute_packages
+
+{%- endif %}
+
+{%- endif %}
+
/etc/contrail/contrail-vrouter-nodemgr.conf:
file.managed:
- source: salt://opencontrail/files/{{ compute.version }}/contrail-vrouter-nodemgr.conf
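Review bot: The new `/etc/contrail/contrail-lbaas-auth.conf` state sets no owner, group or mode, although the template it renders writes the Barbican admin password in clear text. A newly created file then gets the minion's default permissions, which are commonly world-readable. I would add `- mode: '0640'` together with a `- group:` naming the account the LBaaS agent runs as; that account is not visible in this diff, so it needs confirming. Adding `- show_changes: False` would also keep the rendered password out of state diffs and job returns.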
diff --git a/opencontrail/files/3.0/contrail-lbaas-auth.conf b/opencontrail/files/3.0/contrail-lbaas-auth.conf
new file mode 100644
index 0000000..d175571
--- /dev/null
+++ b/opencontrail/files/3.0/contrail-lbaas-auth.conf
@@ -0,0 +1,16 @@
+{%- from "opencontrail/map.jinja" import compute with context %}
+{%- from "opencontrail/map.jinja" import common with context -%}
+[BARBICAN]
+admin_user={{ compute.lbaas.secret_manager.identity.user }}
+admin_password={{ compute.lbaas.secret_manager.identity.password }}
+admin_tenant_name={{ compute.lbaas.secret_manager.identity.tenant }}
+{%- if common.identity.get('version', '2.0') == "3" %}
+admin_user_domain={{ compute.lbaas.secret_manager.identity.user_domain }}
+admin_project_domain={{ compute.lbaas.secret_manager.identity.project_domain }}
+auth_url=http://{{ common.identity.host }}:{{ common.identity.port }}/v3
+{%- else %}
+auth_url=http://{{ common.identity.host }}:{{ common.identity.port }}/v2.0
+{%- endif %}
+{%- if common.identity.region is defined %}
+region={{ common.identity.region }}
+{%- endif %}
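Review bot: Both `auth_url` lines hard-code `http://`, so the admin user and password written just above are sent to Keystone in clear text even where the identity endpoint offers TLS. The scheme should come from the pillar, e.g. `auth_url={{ common.identity.get('protocol', 'http') }}://{{ common.identity.host }}:{{ common.identity.port }}/v3`; the `protocol` key is an assumption, as the diff does not show one under `common.identity`. In the v3 branch, `user_domain` and `project_domain` are also read without a fallback, while the README example and the test pillars in this commit omit them, so a pillar that skips the barbican metadata class would likely render them empty. `{{ compute.lbaas.secret_manager.identity.get('user_domain', 'default') }}`, and the same for `project_domain`, would match the class defaults. The 4.0 copy of this template is identical and needs the same changes.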
diff --git a/opencontrail/files/4.0/contrail-lbaas-auth.conf b/opencontrail/files/4.0/contrail-lbaas-auth.conf
new file mode 100644
index 0000000..d175571
--- /dev/null
+++ b/opencontrail/files/4.0/contrail-lbaas-auth.conf
@@ -0,0 +1,16 @@
+{%- from "opencontrail/map.jinja" import compute with context %}
+{%- from "opencontrail/map.jinja" import common with context -%}
+[BARBICAN]
+admin_user={{ compute.lbaas.secret_manager.identity.user }}
+admin_password={{ compute.lbaas.secret_manager.identity.password }}
+admin_tenant_name={{ compute.lbaas.secret_manager.identity.tenant }}
+{%- if common.identity.get('version', '2.0') == "3" %}
+admin_user_domain={{ compute.lbaas.secret_manager.identity.user_domain }}
+admin_project_domain={{ compute.lbaas.secret_manager.identity.project_domain }}
+auth_url=http://{{ common.identity.host }}:{{ common.identity.port }}/v3
+{%- else %}
+auth_url=http://{{ common.identity.host }}:{{ common.identity.port }}/v2.0
+{%- endif %}
+{%- if common.identity.region is defined %}
+region={{ common.identity.region }}
+{%- endif %}
diff --git a/opencontrail/map.jinja b/opencontrail/map.jinja
index cbfae68..1fa1c3d 100644
--- a/opencontrail/map.jinja
+++ b/opencontrail/map.jinja
@@ -323,7 +323,6 @@
'vrouter_lls_too_high_threshold': 10,
'vrouter_lls_variation_threshold': 5,
'vrouter_flows_active_too_high_threshold': 1200,
- 'vrouter_flows_created_too_high_threshold': 1000,
'vrouter_flows_discard_too_high_threshold': 1200,
'vrouter_flows_flow_action_drop_too_high_threshold': 100,
'vrouter_flows_frag_err_too_high_threshold': 100,
diff --git a/opencontrail/meta/prometheus.yml b/opencontrail/meta/prometheus.yml
index e3707a6..c53f9c4 100644
--- a/opencontrail/meta/prometheus.yml
+++ b/opencontrail/meta/prometheus.yml
@@ -340,18 +340,6 @@
annotations:
summary: 'Too many vRouter active flows'
description: 'There are too many active vRouter flows on node {{ $labels.host }} (current value={{ $value }}, threshold={%- endraw %}{{ vrouter_flows_active_toohigh_threshold }})'
- ContrailFlowsCreatedTooMany:
- if: >-
- {%- set vrouter_flows_created_toohigh_threshold = monitoring.vrouter_flows_created_too_high_threshold %}
- min(contrail_vrouter_flows_created) >= {{ vrouter_flows_created_toohigh_threshold }}
-{%- raw %}
- for: 2m
- labels:
- severity: warning
- service: contrail-compute
- annotations:
- summary: 'Too many vRouter created flows'
- description: 'There are too many created vRouter flows on node {{ $labels.host }} (current value={{ $value }}, threshold={%- endraw %}{{ vrouter_flows_created_toohigh_threshold }})'
ContrailFlowsDiscardTooMany:
if: >-
{%- set vrouter_flows_discard_toohigh_threshold = monitoring.vrouter_flows_discard_too_high_threshold %}
@@ -424,7 +412,7 @@
annotations:
summary: 'Too many vRouter flows with invalid label'
description: 'There are too many vRouter flows with invalid label on node {{ $labels.host }} (current value={{ $value }}, threshold={%- endraw %}{{ vrouter_flows_invalid_label_toohigh_threshold }})'
- ContrailFlowsQueueLimitExeededTooMany:
+ ContrailFlowsQueueLimitExceededTooMany:
if: >-
{%- set vrouter_flows_flow_queue_limit_exceeded_toohigh_threshold = monitoring.vrouter_flows_flow_queue_limit_exceeded_too_high_threshold %}
min(contrail_vrouter_flows_flow_queue_limit_exceeded) >= {{ vrouter_flows_flow_queue_limit_exceeded_toohigh_threshold }}
diff --git a/tests/pillar/vrouter.sls b/tests/pillar/vrouter.sls
index 13e05e5..d9ba886 100644
--- a/tests/pillar/vrouter.sls
+++ b/tests/pillar/vrouter.sls
@@ -35,4 +35,12 @@
address: 127.0.0.1
port: 6632
ssl:
- enabled: True
\ No newline at end of file
+ enabled: True
+ lbaas:
+ enabled: true
+ secret_manager:
+ engine: barbican
+ identity:
+ user: admin
+ password: "supersecretpassword123"
+ tenant: admin
diff --git a/tests/pillar/vrouter40.sls b/tests/pillar/vrouter40.sls
index f19ce4e..16cdcff 100644
--- a/tests/pillar/vrouter40.sls
+++ b/tests/pillar/vrouter40.sls
@@ -44,3 +44,11 @@
port: 6632
ssl:
enabled: True
+ lbaas:
+ enabled: true
+ secret_manager:
+ engine: barbican
+ identity:
+ user: admin
+ password: "supersecretpassword123"
+ tenant: admin